I stumbled upon Microsoft ASP.NET's WingTipToy project where the line of code uses <%#: instead of <%#
What's the real main difference here?
By adding the (:) to the end of the <%# prefix, the result of the data-binding expression is HTML-encoded. When the result is HTML-encoded, your application is better protected against cross-site script injection (XSS) and HTML injection attacks