Since <script> tags can be put within the <body>, the location makes no difference.
Do you want <div> and <iframe> tags, too? It's just too many ways to mess-up your page if you allow HTML tags.
For my clients, I've written something like your ckeditor but have it add code like SitePoint uses. Try making parts of your text bold or italic - that's what I've done and it works fine (safe).
If you can envision all the various nonsense that hackers can use (like encoding < as < or %3c), then MAYBE you can outguess ALL the hackers attempts to use your site as a launching pad for SPAM (and other exploits). IMHO, it's not worth the effort. Learn from SitePoint's code.