Always sanitize output to the browser.

If a value like "><script>blabla</script> is inserted as a value for your fields, a user can essentially take over your entire site. It will probably make a mess when it comes to validation and correct code, but the script will still be run.

So to answer your question: No, it is not guaranteed that HTML-title attributes are displayed as plain text if the user knows what he/she is doing.

Surprisingly, still, no right answer in 5 years. The answer is: yes, you need to encode the title attribute, but not everything that is encoded in the innerText of the element.

The proper way to do it in asp.net if you do your own markup is:

string markup = string.Format("<div class='myClass' title='{0}'>{1}</div>",
   System.Web.HttpUtility.HtmlAttributeEncode(myText), 
   System.Web.HttpUtility.HtmlEncode(myText));

The above will set both innerText and title of the div to myText, which is customary for elements that may contain long text but are constrained in width (as I believe the question implies).

I think there may be some confusion going on with this thread.

Firstly <asp:Label> is an ASP.NET Web Control. The Text and ToolTip attributes are "abstractions" of the inline content and 'title' attributes of an HTML tag respectively.

For these particular two properties Microsoft will perform the HTML Encoding for you automatically so if you set ToolTip="H&S<" then the <span> tag will be rendered as <span title="H&amp;S&lt;"...>. The same goes for the Text property.

NOTE: Not all properties perform automatic encoding (HTML or InnerContent properties for example)

If however you are generating HTML tags directly (Response.Write("<span...") for example) then you MUST http encode the text content and tooltip attributes content if:

• Those values originate from a user / external unsanitised source or
• If there is a possibility that the content may contain characters that should be escaped (& < > etc.)

Usually this means that it is safe to to:

Hardcoded content with no http characters:

Response.Write("<span title='Book Reference'>The art of zen</span>"); // SAFE

Hardcoded content with http characters that you manualle encode:

Response.Write("<span title='Book &amp; Reference'>The art &amp; zen</span>"); // SAFE

Dynamically sourced content:

Response.Write("<span title='"+sTitle+"'>"+sText+"</span>"); // UNSAFE Response.Write("<span title='"+HttpUtility.HtmlEncode(sTitle)+"'>" +HttpUtility.HtmlEncode(sText)+"</span>"); // SAFE

Beside security reasons:

Title attributes should always be plain text but certain JS plugins misuse them to display 'rich' tooltips (i.e. HTML code with bold text, emphasis, links and so on).

As for browsers and AFAIK they are displayed as plain text and tooltips, never displayed to those who use tabbed navigation (keyboard) and scren readers give to their users (blind and partially sighted people) many options, like reading the longest between link title and its text or always title or never ...

Another point:

Who cares how the title attribute is rendered by a browser, when it is the presence of malicious strings in the source code that could present an issue?

It doesn't matter how it is displayed, the question is: how does it appear in the source code?

(As already stated, if you're pumping strings to the client, do something to sanitize those strings.)

The ToolTip property of a ASP.NET control will auto encode the value on output/rendering.

This means it is safe to set the tooltip to plain text as the page will sanitize the text on rendering.

Label1.ToolTip = "Some encoded text < Tag >"

Renders HTML output as:

<span title="Some encoded text &lt; Tag >"></span>

If you need to use text that is already encoded, you can set the title attribute instead. The title attribute will not be automatically encoded on rendering:

Label1.Attributes("title") = "Some encoded text < Tag >"

Renders HTML output as:

<span title="Some encoded text &lt; Tag &gt;"></span>