As of SourceForge 4.2, it is possible to configure the application to force your users to download files, instead of letting them open them within the browser.
Turning this mode on can prevent some of the more basic attacks on your other users. Simply add the following line to /usr/local/sourceforge/sourceforge_home/etc/sourceforge_configuration.properties:
sf.safeDownloadMode=all
Once the line is in place, simply restart SourceForge for it to take effect. The default for SourceForge sets this to none, which means that the user's browser will present them with the normal Open/Save options when clicking on files. When you set this to "all", that pop-up will be altered so that the user's only choice is Save. Should you wish, you can also set this value to "html" to force the user to save only html documents, while allowing all other content to behave as normal.