Comment by eli

You figured all that out just because the headers indicate the site passed through Cloudflare at one point? That's quite a leap!

If Cloudflare had a default rule that made it impossible to write that string on any site with their WAF, wouldn't this be a lot more widespread? Much more likely someone entered a bad rule into Cloudflare, or Cloudflare isn't involved in that rule at all.