You are correct: I reinstated the sprintf there.
This meant that the issue remained for that one.
I therefore corrected the issue in the library

To test: Edit a link in the redirect component after adding a single quote in the string:
COM_REDIRECT_EDIT_LINK="Edit Link #%d"
to
COM_REDIRECT_EDIT_LINK="Edit' Link #%d"

Would it work to htmlspecialchars the results from JText? I didn't test but sounds like encoding the single quote (and other special HTML chars) would solve the issue. Eg:
htmlspecialchars(JText::sprintf('COM_REDIRECT_EDIT_LINK', $this->item->id, true))

I think it is better to do it correctly globally in the library here infograf768@f4f1148 instead of having to do it for each possible occurence, so that the issue is not only corrected for core but also for 3pds

That's the wrong escaping and at the wrong place (and suggestion of JM goes into the right direction but not far enough):

1. The right place to escape title is in layout libraries.cms.html.bootstrap.addtabscript called from here: https://github.com/infograf768/joomla-cms/blob/f4f11485e6c5e6ca72b3d9347632bc3fef53ad97/libraries/cms/html/bootstrap.php#L722

2. The right method to escape javascript strings is addslashes and not htmlspecialchars.

Best Regards,
Beat

thanks. Patch now uses addslashes

As proposed in chat, addslashes should be in file
https://github.com/infograf768/joomla-cms/blob/bootstrap_tabs/layouts/libraries/cms/html/bootstrap/addtabscript.php
(gave you source code in chat as github does a 404 when i try saving editing that file!)