We use Cloudflare Pro with WAF enabled. When trying to save an advert etc - this triggers a WAF rule: 100173 XSS, HTML Injection - Script Tag. The only solution is to disable the WAF for the save path. But this isn't really a safe thing to do.
Can this be rectified in a later version?