Editorial: use new user activation model

index.html

@@ -961,9 +961,9 @@ <h2>
           </li>
           <li data-tests=
           "payment-request-show-method.https.html, show-method-postmessage-manual.https.html">
-          If the method was not triggered by <a>transient activation</a>, or
-          the |window|'s <a>transient activation</a> has expired, return [=a
-          promise rejected with=] with a {{"SecurityError"}} {{DOMException}}.
+          If the method was not triggered by [=transient activation=], or the
+          |window|'s [=transient activation=] has expired, return [=a promise
+          rejected with=] with a {{"SecurityError"}} {{DOMException}}.
           </li>
           <li>Let |request:PaymentRequest| be the <a>context object</a>.
           </li>
@@ -5132,8 +5132,8 @@ <h2>
         <p>
           To help ensure that users do not inadvertently share sensitive
           credentials with an origin, this API requires that PaymentRequest's
-          <a>show()</a> method be triggered by <a>transient activation</a>
-          (e.g., via a click or press).
+          <a>show()</a> method be triggered by [=transient activation=] (e.g.,
+          via a click or press).
         </p>
         <p>
           To avoid a confusing user experience, this specification limits the