It is indeed a bug. I too had this problem with needing to use an apostrophe in a tag. Since single quotes ( ' ) are allowed in URL's, trying to format with htmlentities or urlencode in the controller (or the template $Link.XML method) had no effect on the actual URL being generated by the link.
Instead, I found that the tag code was being converted to it's HTML entity (') prior to the SQL query being run:
In BlogTree_Controller::SelectedTag() (Convert::raw2xml() - BlogTree.php line #300).
My simple solution was to edit BlogTree.php line #300 to remove the raw2xml conversion as below:
return ($this->request->latestParam('Action') == 'tag') ? $this->request->latestParam('ID') : '';
It's perhaps a temporary solution, but it certainly worked for me.
On second thought, it's probably best to keep the raw2xml conversion in the SelectedTag() function, as this function is also used for template output. Instead, edit BlogTree.php line #160 to revert the xml conversion back to raw for the purpose of escaping for the query:
$SQL_tag = Convert::raw2sql(Convert::xml2raw($tag));
This is probably the better solution.