> But maybe it's misconfiguration on side of cloudflare user because I can remember they at least had a WAF product in the past

They still have a WAF product, though I don't think anything in the standard managed ruleset will fire just on quotes, the SQLi and XSS checks are a bit more sophisticated than that.

From personal experience, they will fire a lot if someone uses a WAF-protected CMS to write a post about SQL.