Closed
Description
It seems like there is a possible vulnerability in using the List editor with the Object item-type. Modal.prototype.itemToString does not escape the values by default which makes it vulnerable to XSS attacks.
Here is a simple example: https://jsfiddle.net/wesvetter/sh57z7ba/2/
If this is the intended behavior then a note should be added to the README so that users are aware of the behavior.
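To illustrate the behavior reported above, here is an added example (not part of the original issue and not the library's own code) showing an object-to-HTML summary with and without escaping. The function names `itemToStringUnsafe`, `itemToStringSafe` and `escapeHtml`, the schema shape and the sample item are assumptions made for this sketch.

```javascript
// Added illustration: simplified stand-in, not the library's source.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hypothetical unescaped summary: "Title: value" rows joined with <br />.
// Any markup stored in the item reaches the DOM when this string is set as HTML.
function itemToStringUnsafe(nestedSchema, value) {
  value = value || {};
  return Object.keys(nestedSchema).map(function (key) {
    var title = nestedSchema[key].title || key;
    var val = value[key] == null ? '' : value[key];
    return title + ': ' + val;
  }).join('<br />');
}

// Hardened variant: titles and values are escaped, so the only markup in the
// result is the <br /> separator the function itself adds.
function itemToStringSafe(nestedSchema, value) {
  value = value || {};
  return Object.keys(nestedSchema).map(function (key) {
    var title = nestedSchema[key].title || key;
    var val = value[key] == null ? '' : value[key];
    return escapeHtml(title) + ': ' + escapeHtml(val);
  }).join('<br />');
}

// Constructed sample data (not taken from the linked fiddle).
var schema = { name: { title: 'Name' }, note: {}, count: {} };
var item = { name: 'Ann & Bob', note: '<img src=x onerror=alert(1)>', count: 0 };

console.log('unsafe:', itemToStringUnsafe(schema, item));
console.log('safe:  ', itemToStringSafe(schema, item));
```
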