Again, looking through with a a magnifying glass trying to find the issues that commenter seemed to see.
I found 2 issues.
htmlentities($value, ENT_QUOTES, 'UTF-8', false);
Note: You should use whatever encoding the user is (I imagine it is a config option somewhere I didn't see).
Even though this still does not stop all possible threats, it is a better option.
Overall, I think that for input/output filtering you should use something along the lines of HTML Purifier or htmLawed. They add a bit of bulk and are slower, but they do a much much better job of preventing XSS and other types of attacks.
"One more thing I didn’t put in the issues: Check if the value is an array when a string is expected."
"If you are sanitizing the post or get data there could be array in there (checkboxes) which would cause an issue for most filters."