--- src/core/src/main/java/org/apache/struts/util/RequestUtils.java	2008-06-05 00:14:36.000000000 +0200
+++ src/core/src/main/java/org/apache/struts/util/RequestUtils.java-gil	2014-08-12 13:28:38.505029656 +0200
@@ -54,6 +54,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 /**
  * <p>General purpose utility methods related to processing a servlet request
@@ -69,6 +70,13 @@
      */
     protected static Log log = LogFactory.getLog(RequestUtils.class);
 
+    /**
+    * <p>Pattern matching 'class' access.</p>
+    */
+    protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
+            .compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
+                    Pattern.CASE_INSENSITIVE);
+
     // --------------------------------------------------------- Public Methods
 
     /**
@@ -463,7 +471,8 @@
 
             // Populate parameters, except "standard" struts attributes
             // such as 'org.apache.struts.action.CANCEL'
-            if (!(stripped.startsWith("org.apache.struts."))) {
+            if (!(stripped.startsWith("org.apache.struts."))
+                    && !CLASS_ACCESS_PATTERN.matcher(stripped).matches()) {
                 properties.put(stripped, parameterValue);
             }
         }