With html5 just about anything other than a space character is a valid.

http://www.w3.org/TR/html5/elements.html#the-id-attribute

http://www.456bereastreet.com/archive/201011/html5_allows_almost_any_value_for_the_id_attribute_use_wisely/

Should we be extra protective and try to  escape anything that would cause a problem?  Something like:

1. hash.replace( /([;&,.+*~`\':"!^$[\]()=>{}|\/@])/g, "\\$1" );