The harm is not in that script being stored on the server, the harm is in that script being executed when you call up a page that executes it (in your example that would be a page displaying your first name). But this is a big subject, and many treatises have been written about it; the
https://coderanch.com/how-to/java/SecurityFaq#web-apps points to a couple of them that discuss XSS at length.