Range description is not encoded in firewall_schedule.php
On firewall_schedule.php the rangedescr for time ranges is not encoded before display. However, an invalid entry cannot be made using the GUI to take advantage of the issue.
Achieving an XSS requires manually modifying a backup to trigger the issue, and if someone can restore a manually modified backup, there are many worse things they could do. Thus it is not considered a viable threat.