If you bind a value to a tooltiptext attribute and that value is something like '/><script>alert("Hi!")</script><!--', the HTML doesn't get escaped and is executed. This doesn't happen with Label, I think.