Escape HTML on WP input

The default text widget – WP_Widget_Text – can be found in wp-includes/default-widgets.php. The input is handled like this:

  • stripslashes( wp_filter_post_kses( addslashes( $text ) ) ); for the text;

I assume this should work likewise for your custom widget. Additionally there is:

  • wpautop( $text ) on the output, if the filter is set to do that;

But ideally you should take a look at the source yourself.

Additionally the codex articles:

give you a good overview of the sanitizing, escaping and validating possibilities with WP.
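
Added example, not part of the original answer and not WordPress core code: a custom widget that filters its text on save the way the answer describes for WP_Widget_Text and escapes each value for the context it is printed in. The class name Example_Safe_Text_Widget, the ID example_safe_text and the field names are hypothetical; the code assumes it is loaded by WordPress as part of a plugin or theme.

```php
<?php
// Added example: hypothetical widget, to be loaded from a plugin or theme.
class Example_Safe_Text_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct( 'example_safe_text', 'Example Safe Text' );
    }

    // Called when the widget form is saved: sanitize before anything is stored.
    public function update( $new_instance, $old_instance ) {
        $instance          = $old_instance;
        $instance['title'] = sanitize_text_field( $new_instance['title'] );
        // wp_filter_post_kses() expects slashed data, hence the addslashes()/stripslashes() pair.
        $instance['text']   = stripslashes( wp_filter_post_kses( addslashes( $new_instance['text'] ) ) );
        $instance['filter'] = ! empty( $new_instance['filter'] );
        return $instance;
    }

    // Front end: the title is plain text, so escape it; the text was kses-filtered on save.
    public function widget( $args, $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        $text  = isset( $instance['text'] ) ? $instance['text'] : '';
        echo $args['before_widget'];
        if ( '' !== $title ) {
            echo $args['before_title'] . esc_html( $title ) . $args['after_title'];
        }
        // wpautop() only adds paragraph markup; it does not sanitize.
        echo '<div class="textwidget">' . ( ! empty( $instance['filter'] ) ? wpautop( $text ) : $text ) . '</div>';
        echo $args['after_widget'];
    }

    // Admin form: attribute context uses esc_attr(), textarea content uses esc_textarea().
    public function form( $instance ) {
        $instance = wp_parse_args( (array) $instance, array( 'title' => '', 'text' => '', 'filter' => false ) );
        printf(
            '<p><input class="widefat" type="text" id="%s" name="%s" value="%s" /></p>',
            esc_attr( $this->get_field_id( 'title' ) ), esc_attr( $this->get_field_name( 'title' ) ), esc_attr( $instance['title'] )
        );
        printf(
            '<textarea class="widefat" rows="8" id="%s" name="%s">%s</textarea>',
            esc_attr( $this->get_field_id( 'text' ) ), esc_attr( $this->get_field_name( 'text' ) ), esc_textarea( $instance['text'] )
        );
        printf(
            '<p><label><input type="checkbox" name="%s" %s /> Automatically add paragraphs</label></p>',
            esc_attr( $this->get_field_name( 'filter' ) ), checked( $instance['filter'], true, false )
        );
    }
}
add_action( 'widgets_init', function () { register_widget( 'Example_Safe_Text_Widget' ); } );
```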