As can be seen by this blog post from Microsoft and this mapping of asp.net control encodings, there are a large number of ASP.NET built in controls that don't escape the values provided
This is one of the root causes of a large number of XSS issues
Here is test that proves that the ASP.NET HtmlTitle, Literal and LinkButton are not escaping the .Text value