Via Chris I found the XSS Cheat Sheet, which shows a looot of possible XSS attacks. I didn't test all on my script, but one I spotted was that &106 is a prefectly valid entity (without semicolon…). The script is fixed, since html_entity_decode() doesn't recognize that either.
Tidy would have fixed that, so I really highly recommend running tidy before trying to do any XSS prevention. Tidy removes a lot of dirty HTML tricks in the first place and makes your XSS prevention script much simpler (but the goal of my script was to not rely on tidy, otherwise the regexes would be much shorter and my life easier ;) )