I have contacted the Sling developers first, but they told me this is a logback issue, so I reported this issue here. The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Here is a reference from OWASP about fixing XXE. Please refer to https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
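
The following is an added example, not part of the original report and not logback's own code: a JAXP SAX parser configured as the OWASP cheat sheet recommends, so that any document carrying a DOCTYPE is refused before entities are processed. The class name `HardenedConfigParser` and both sample configuration strings are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; illustrates the "disable DTDs completely" advice.
public class HardenedConfigParser {

    // Build a SAX parser that refuses every DOCTYPE declaration.
    static SAXParser newParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // JAXP secure processing: applies the implementation's resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature (also honoured by the JDK's built-in parser):
        // a DOCTYPE in the input becomes a fatal parse error.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    // Returns true if the parser accepted the document, false if it
    // raised a parse error (a DOCTYPE, or XML that is not well-formed).
    static boolean accepts(String xml) throws Exception {
        try {
            newParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a configuration file without a DOCTYPE.
        String plain = "<configuration><root level=\"INFO\"/></configuration>";
        // Constructed sample: same file with a DOCTYPE declaring an internal
        // entity; the parser stops at the DOCTYPE, so no entity is expanded.
        String withDtd = "<!DOCTYPE configuration [<!ENTITY e \"INFO\">]>"
                + "<configuration><root level=\"&e;\"/></configuration>";

        System.out.println("plain config accepted:   " + accepts(plain));
        System.out.println("DOCTYPE config accepted: " + accepts(withDtd));
    }
}
```

The same two `setFeature` calls apply to any code path that builds its own `SAXParserFactory`; a parser created elsewhere with default settings is not covered by them.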