by jack-r-abbit 5103 days ago
I think (s?)he meant upload the image to someone else's site. The malicious code would be running on that site... not your own. So then it does have access to that site's cookies.

Nope, in this case the image will be interpreted as an image, not a script.
Right. I just took the example squirrel page, saved it, altered the comment section of the image to insert some JavaScript code alert('Hello') and opened it in my browser. It works but only if it is interpreted as HTML. So you'd need to be able to control it more.
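
The comments above turn on whether the browser interprets the file as an image or as HTML, which is why upload handlers pin the response type on the server side. Added example, not part of the original thread: the function names, token list and header policy are assumptions, and the sample bytes are constructed.

```python
# Added example: serve user-uploaded images so a browser never treats them as HTML.
# Function names, token list and header policy are illustrative assumptions.

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
MARKUP_TOKENS = (b"<script", b"<html", b"<body", b"<iframe", b"<svg", b"javascript:")


def detect_image_type(data: bytes):
    """Return the MIME type implied by the file's magic bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def contains_markup(data: bytes) -> bool:
    """Flag HTML-like tokens anywhere in the file, e.g. inside a comment block."""
    lowered = data.lower()
    return any(tok in lowered for tok in MARKUP_TOKENS)


def response_headers(data: bytes) -> dict:
    """Headers that pin the type; raises ValueError for non-image uploads."""
    mime = detect_image_type(data)
    if mime is None:
        raise ValueError("not a recognised image; refuse to serve inline")
    return {
        "Content-Type": mime,                    # derived from the bytes, not the uploader
        "X-Content-Type-Options": "nosniff",     # browser must not re-guess the type
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script if rendered as a document
    }


# Constructed sample: GIF header bytes followed by a comment extension holding markup.
SAMPLE = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
          b"\x21\xfe\x1f<script>alert('Hello')</script>\x00\x3b")

if __name__ == "__main__":
    print(detect_image_type(SAMPLE), contains_markup(SAMPLE))
    print(response_headers(SAMPLE))
```

The markup check is a flag for review or re-encoding; the pinned headers are what keep the file from being interpreted as HTML.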