diff --git a/CHANGELOG b/CHANGELOG
index 585b98dcd..02b9e3df2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,9 @@ Nmap 6.45 [2014-04-11]
 o NOTE THAT THE CHANGELOG FOR THIS RELEASE IS INCOMPLETE.  We plan to
   finish it soon.
 
+o [NSE] Improved performance of citrixlua library when handling large XML
+  responses containing application lists. [Tom Sellers]
+  
 o [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL
   CVE-2014-0160 [Patrik Karlsson]
   
diff --git a/nselib/citrixxml.lua b/nselib/citrixxml.lua
index f6b8df4ca..007d0a7a9 100644
--- a/nselib/citrixxml.lua
+++ b/nselib/citrixxml.lua
@@ -34,19 +34,22 @@ function decode_xml_document(xmldata)
 
   if not xmldata then
     return ""
-  end
-
-  local newstr = xmldata
-
-  for m in xmldata:gmatch("(&#%d+;)") do
-    hexval = m:match("(%d+)")
-
-    if ( hexval ) then
-      newstr = xmldata:gsub(m, string.char(hexval))
-    end
-  end
-
-  return newstr
+  end
+
+  local newstr = xmldata
+  local escaped_val
+
+  while string.match(newstr, "(&#%d+;)" ) do
+    escaped_val = string.match(newstr, "(&#%d+;)")
+    hexval = escaped_val:match("(%d+)")
+
+    if ( hexval ) then
+      newstr, _ = newstr:gsub(escaped_val, string.char(hexval))
+    end
+
+  end
+
+  return newstr
 
 end