Quick note. I removed the XML and the startup parameters and tested. I received the same invalid character message. I added them back, and again got the same invalid character message.
At this point I can’t tell if my server is vulnerable or fixed because it’s the same message either way.