Yep, I confirm; it happened to me
today and I had to remove the "<?
.php". It's weird, because any text that's written to a post is recognized as text from the forum software, and so should from Cloudflare.
I don't think the problem has to do with "attack with back-end execution". It's rather just a bug. How do I know? Try previewing
this post which includes the php format intro and runs normally, and now try previewing
this post, which is the same plus the next sentence; it will fail.