The default text widget – WP_Widget_Text
– can be found in wp-includes/default-widgets.php
. The input is handled like this:
stripslashes( wp_filter_post_kses( addslashes( $text ) ) );
for the text;
I assume this should work likewise for your custom widget. Additionally there is:
wpautop( $text )
on the output, if the filter is set to do that;
But optimally you’re taking a look at the source yourself.
Additionally the codex articles:
give you an good overview about sanitizing, escaping and validating possibilities with WP.